Computing Reviews
Oracle Privacy Security Auditing: Includes Federal Law Compliance with HIPAA, Sarbanes-Oxley & the Gramm-Leach-Bliley Act (GLB)
Nanda A., Burleson D., Rampant TechPress, 2003. 400 pp. Type: Book (ISBN 9780972751391)
Date Reviewed: Mar 26 2004

With compliance emerging as an important topic in information systems, Nanda and Burleson’s book is timely. In this engaging book, the authors address in depth some implementation aspects of Oracle privacy and security that are not easily found elsewhere.

The book is divided into three sections. In the first, the authors provide an introduction to the concepts discussed: the Health Insurance Portability and Accountability Act (HIPAA), Oracle security, and Oracle auditing. In chapter 1, HIPAA is introduced via a short story, providing context for the discussion in the rest of the book. In chapter 2, security is presented in the context of the Oracle environment, but still in rather nontechnical terms. The follow-up in chapter 3 begins a discussion of auditing in the form of the continuing short story from chapter 1.

Sections 2 and 3 are rather technical, presenting a detailed discussion of Oracle’s security and auditing features. Most of the material is relevant to version 9i of the Oracle software, with some mention of previous versions and their associated limitations.

Chapter 4, a long chapter, starts Section 2. It addresses general Oracle security, and provides some helpful tips and scripts that are worth the price of the book. Chapter 5 continues with the special topic of virtual private databases (VPDs). The authors explore the concepts of VPDs and how they are used to secure a database, effectively partitioning existing tables so that different users see different rows of the same table. Scripts and tips are offered that avoid the need to invoke Oracle's Advanced Security Option, which is not available in all installations. Chapter 6 closes the section with coverage of encryption, making use of the built-in Oracle toolset without the need for additional products. Network security in the context of Oracle is demonstrated with a well-written set of examples.

Section 3 covers auditing, and is divided into four chapters. These start with a general introduction to Oracle auditing, continuing on to more esoteric topics such as trigger auditing, auditing of grants, and the newly introduced fine-grained auditing. In chapter 8, the authors walk the reader through features that can be used to implement a variety of mandated accountability requirements. In chapters 9 and 10, auditing through Oracle system event triggers and auditing of Oracle grants are explored, with a number of scripts providing a helpful framework for solid auditing. In chapter 11, the often misunderstood fine-grained auditing (FGA) is addressed. Introduced with Oracle 9i, this capability extends the traditional auditing tool to cases where the database user is not relevant, such as application-authenticated users connecting through a shared account. Auditing of select statements is also used as an illustration, and complementary tools such as flashback queries are explained to complete the section on auditing.
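The two mechanisms the review singles out, VPD row partitioning (chapter 5) and fine-grained auditing of SELECTs by application-authenticated users (chapter 11), fit together in one short Oracle script. The following is an added example written for this review, not a script from the book: the schema `HR_APP`, the `PATIENTS` table, the `patient_ctx` application context and the policy names are all assumptions chosen for illustration. It uses the documented `DBMS_SESSION`, `DBMS_RLS` and `DBMS_FGA` packages that the chapters describe.

```sql
-- Constructed sample table: every row belongs to exactly one clinic.
CREATE TABLE hr_app.patients (
  patient_id  NUMBER PRIMARY KEY,
  clinic_id   NUMBER NOT NULL,
  full_name   VARCHAR2(100),
  ssn         VARCHAR2(11),
  diagnosis   VARCHAR2(200)
);

-- Application context (assumed name) that the middle tier fills in after it
-- has authenticated the end user; the database user is a shared account.
CREATE CONTEXT patient_ctx USING hr_app.patient_ctx_pkg;

CREATE OR REPLACE PACKAGE hr_app.patient_ctx_pkg AS
  PROCEDURE set_user(p_app_user IN VARCHAR2, p_clinic_id IN NUMBER);
END patient_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr_app.patient_ctx_pkg AS
  PROCEDURE set_user(p_app_user IN VARCHAR2, p_clinic_id IN NUMBER) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('patient_ctx', 'app_user',  p_app_user);
    DBMS_SESSION.SET_CONTEXT('patient_ctx', 'clinic_id', TO_CHAR(p_clinic_id));
    -- CLIENT_IDENTIFIER is what the FGA trail records as CLIENT_ID, so the
    -- audit row names the application user, not the shared DB account.
    DBMS_SESSION.SET_IDENTIFIER(p_app_user);
  END set_user;
END patient_ctx_pkg;
/

-- VPD policy function: returns the predicate Oracle appends to every
-- statement against PATIENTS, so each session sees only its clinic's rows.
CREATE OR REPLACE FUNCTION hr_app.clinic_predicate(
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  -- Fail closed: a session with no clinic in its context gets no rows,
  -- not the whole table.
  IF SYS_CONTEXT('patient_ctx', 'clinic_id') IS NULL THEN
    RETURN '1=2';
  END IF;
  RETURN 'clinic_id = SYS_CONTEXT(''patient_ctx'', ''clinic_id'')';
END clinic_predicate;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR_APP',
    object_name     => 'PATIENTS',
    policy_name     => 'patients_by_clinic',
    function_schema => 'HR_APP',
    policy_function => 'CLINIC_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- also reject writes that violate the predicate
END;
/

-- FGA policy: record every SELECT that reads SSN or DIAGNOSIS. Queries that
-- touch neither column are not audited, which keeps the trail small.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR_APP',
    object_name     => 'PATIENTS',
    policy_name     => 'audit_sensitive_reads',
    audit_condition => NULL,              -- NULL acts as TRUE: every matching read
    audit_column    => 'SSN,DIAGNOSIS',
    enable          => TRUE);
END;
/

-- Usage (constructed session): the middle tier binds the authenticated user
-- 'dr_smith' of clinic 7 to the connection, then runs queries as usual.
EXEC hr_app.patient_ctx_pkg.set_user('dr_smith', 7);

-- VPD rewrites this to ... WHERE clinic_id = 7; not audited (no SSN/DIAGNOSIS).
SELECT patient_id, full_name FROM hr_app.patients;

-- Same predicate; FGA writes an audit record with CLIENT_ID = 'dr_smith'.
SELECT patient_id, diagnosis FROM hr_app.patients;

-- Check: what the fine-grained audit trail recorded for the table.
SELECT timestamp, db_user, client_id, policy_name, sql_text
  FROM dba_fga_audit_trail
 WHERE object_schema = 'HR_APP' AND object_name = 'PATIENTS'
 ORDER BY timestamp;
```

Two design points are worth noting. The policy function returns `1=2` when the context is empty, so a connection that bypasses the middle tier and never calls `set_user` sees nothing rather than everything. And the FGA record is only as trustworthy as the package that sets `CLIENT_IDENTIFIER`: because `patient_ctx` is declared `USING hr_app.patient_ctx_pkg`, only that package can populate the context, so the procedure must be granted only to the application account that actually authenticates users.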

The remainder of the book includes a chapter on HIPAA compliance and the role of Oracle in its deployment, and a short chapter introducing some of the new features of Oracle 10g. The introduction of some 10g features prior to its official release is qualified, but adds little to the usefulness of the book.

The book is well organized, and covers some constructive ground in this specialized topic. Both authors know the material, and the few typographical errors do not detract from the impression that this book should be on the bookshelves of Oracle developers involved in securing or auditing a system subject to legal requirements.

The subtitle of the book is somewhat misleading, in that it does not cover, in any level of detail, material related to Sarbanes-Oxley or the Gramm-Leach-Bliley Act (GLB). The terms seem to have been included only for indexing purposes. However, most readers will probably not regret reading this work from cover to cover. Similarly, the list of key features at the back of the book includes coverage of the requirements of the Visa USA Cardholder Information Security Program (CISP), and the European Safe Harbor Act. After reading the 13 chapters, the reader will wonder if these topics were ever there, have succumbed to the editing hatchet, or if they are altogether missing in action.

To conclude, this work should provide a valuable reference on a topic that often lacks coverage in general database literature. At the border of data management and the newly found interest in compliance, this timely book has a place in any collection of Oracle texts.

Reviewer: Jean-Pierre Kuilboer. Review #: CR129329 (0409-1031)
Categories: Security, Integrity, And Protection (H.2.7); Logging And Recovery (H.2.7); Management Audit (K.6.4); Oracle (H.2.4); Privacy (K.4.1); Database Administration (H.2.7)